Mr. Filip,

--- Sneppe Filip <[EMAIL PROTECTED]> wrote:
> Brad Chapman wrote:
> >
> >       OK. I understand this analysis, but to me, it doesn't explain why 
> >this conntracker is needed. AFAICT on my system, everything is handled by
> >the basic UDP conntrack code. Could you explain it a little better, please?
> >
> 
> Ok, I'll try.
> 
> There is no problem playing Quake III behind a firewall that has an
> "allow all UDP traffic" policy. However, when you want to trim down
> the number of UDP ports to allow through your firewall, you run into
> the following issue: over a third of the Internet Quake III servers
> run on totally random ports, ie they don't use the default port 27960.
> Yet, the IP addresses and ports are registered with a master server,
> and that server can be queried by a Quake III client.

       Ah, OK. I see - I'm not doing UDP port limiting, so I've not run
into this difficulty yet; however, in the future I may change my policy....

> 
> So tightening the security policy would mean you couldn't connect to
> those servers anymore, hence the use of a connection tracking module
> that tracks the query responses from a master server and
> tags any future connection attempts as EXPECTED... As Harald noted,
> You can now just add one line to allow UDP traffic to the master
> server and then use --state RELATED for all the other game traffic.

       OK. Nice and simplistic - read the master server packets and setup
expectations for those servers - sounds really easy. NAT shouldn't be
too difficult.

> 
> Granted, this is not a conntracker that solves any problematic issues
> with this protocol like there are with ftp, irc, H.323, etc., but I
> just figured it would be a safe bet for a first attempt at writing
> a netfilter module. Once I get the NAT thing sorted out, I'll have
> a go at something more useful :-)

       Hey - this can be majorly useful. A _lot_ of the Q3A servers out there
are Linux systems, so having this available could be a major boon. Would you
mind horribly if I posted news about this code in some places you've
probably never heard of? ;)
  
> 
> Regards,
> Filip
>

Brad


=====
Brad Chapman

Permanent e-mail: [EMAIL PROTECTED]
Current e-mail: [EMAIL PROTECTED]
Alternate e-mail: [EMAIL PROTECTED]
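The mechanism Filip describes above (learn server addresses from the master server's reply, then treat later client traffic to those servers as expected, i.e. matchable with --state RELATED), as an added Python model that is not part of this thread or of the actual netfilter module; the master port 27950, the getserversResponse byte layout and the sample packet bytes are my own assumptions/constructions.

```python
import struct
from ipaddress import IPv4Address

MASTER_PORT = 27950  # assumed Quake III master server port (not stated in the thread)
MARKER = b"\xff\xff\xff\xffgetserversResponse"


def parse_getservers_response(payload: bytes):
    """Extract (ip, port) entries from a master 'getserversResponse'.

    Assumed layout: MARKER, then entries of a backslash, 4 IP bytes and a
    2-byte big-endian port, terminated by b'\\EOT'. Truncated entries are
    dropped rather than guessed, so a cut-off reply never creates a
    half-parsed expectation.
    """
    if not payload.startswith(MARKER):
        return []
    body = payload[len(MARKER):]
    servers, pos = [], 0
    while pos < len(body) and body[pos:pos + 1] == b"\\":
        pos += 1
        if body[pos:pos + 3] == b"EOT" or pos + 6 > len(body):
            break
        ip = str(IPv4Address(body[pos:pos + 4]))
        (port,) = struct.unpack("!H", body[pos + 4:pos + 6])
        servers.append((ip, port))
        pos += 6
    return servers


class QuakeHelper:
    """Toy stand-in for the conntrack helper: expectations are learned only
    from replies sourced at the master port, then later client->server UDP
    packets are classified as the firewall's state match would see them."""

    def __init__(self):
        self.expected = set()  # (server ip, server port) pairs announced by the master

    def on_master_reply(self, src_ip, src_port, payload):
        if src_port != MASTER_PORT:  # anything else is not a master reply: ignore it
            return
        for entry in parse_getservers_response(payload):
            self.expected.add(entry)

    def classify(self, dst_ip, dst_port):
        # RELATED is what '--state RELATED' accepts; NEW is what a tightened
        # UDP policy would drop for a server on a random port.
        return "RELATED" if (dst_ip, dst_port) in self.expected else "NEW"
```

A real helper also keys the expectation on the querying client, so a server announced to one host is not automatically reachable from every host behind the firewall.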
